
Security

Overview

Calico provides the most complete network security model among Kubernetes CNI plugins. It extends Kubernetes NetworkPolicy with its own rich policy CRDs (NetworkPolicy, GlobalNetworkPolicy), supports tiered policy enforcement with RBAC, offers WireGuard encryption for pod traffic, and integrates with service mesh mTLS via Dikastes. Tigera Enterprise adds additional RBAC, audit logging, and threat-detection capabilities.


Network Policy Layers

Kubernetes NetworkPolicy

Calico fully implements the Kubernetes NetworkPolicy resource:

  • Namespaced -- each policy applies to pods in a single namespace.
  • Ingress and egress rules -- restrict traffic based on pod selectors, namespace selectors, IP blocks (CIDR), and port/protocol.
  • Default deny -- achieved by a policy whose podSelector matches the target pods and whose policyTypes list Ingress and/or Egress with no rules, so all traffic not explicitly allowed by another policy is denied.

Calico NetworkPolicy (projectcalico.org/v3)

Calico extends the standard Kubernetes model with its own NetworkPolicy resource in the projectcalico.org API group. This resource is namespaced but adds capabilities beyond the Kubernetes standard:

  • Policy ordering -- order field controls evaluation priority. Lower-order policies are evaluated first.
  • Deny and log actions -- rules can explicitly Deny traffic (not just allow) and Log matching packets.
  • ServiceAccount selectors -- match traffic by source or destination ServiceAccount labels, not just pod labels.
  • Port ranges and named ports -- support for port ranges and Kubernetes named ports.
  • HTTP match criteria -- L7 rules for matching HTTP methods, paths, and headers when used with the application layer policy engine.

GlobalNetworkPolicy (projectcalico.org/v3)

GlobalNetworkPolicy is a non-namespaced policy that can apply across all namespaces, to specific host interfaces, and to non-Kubernetes workloads (VMs, host endpoints):

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny
spec:
  selector: projectcalico.org/namespace not in {'kube-system', 'calico-system'}
  types:
  - Ingress
  - Egress

Key capabilities:

  • Cross-namespace enforcement -- a single policy can govern pods across all namespaces.
  • Host endpoint policy -- applies to host interfaces (physical NICs) for securing node-level traffic.
  • Pre-DNAT policy -- evaluates rules before DNAT (destination NAT), enabling policy on the original destination IP/port (useful for NodePort and LoadBalancer services).
  • DoS and apply-on-forward -- policies for forwarded traffic and rate limiting.

Policy Tiers

Calico supports tiered policy enforcement for organizational control. Tiers group policies and define evaluation order:

  • Tier evaluation order -- tiers are evaluated in ascending order. Policies in lower-ordered tiers are evaluated first.
  • Default tier -- all policies without an explicit tier are placed in the default tier.
  • Action on match -- tiers can be configured with defaultAction (Allow, Deny, Pass). A Pass action defers to the next tier.

Tiered policies enable platform teams to enforce baseline security (e.g., "deny all external traffic") while allowing application teams to manage allow-lists within their own tier, without being able to override the platform baseline.
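The evaluation order described above, as an added toy model (not Calico's own code): tiers by order, policies within a tier by order, first matching rule wins, Log records and continues, Pass defers to the next tier, and a tier whose policies apply but match no rule falls back to its defaultAction. The selectors, label names and sample tiers are constructed for illustration; a flow is a dict with 'src' and 'dst' label maps and a 'port'.

```python
from dataclasses import dataclass
from typing import Callable, List
@dataclass
class Rule:
    action: str                                   # Allow | Deny | Pass | Log
    match: Callable[[dict], bool] = lambda flow: True

@dataclass
class Policy:
    name: str
    selector: Callable[[dict], bool]              # which destination pods it applies to
    rules: List[Rule]
    order: float = float("inf")                   # unset order sorts last, as in Calico

@dataclass
class Tier:
    name: str
    order: float
    policies: List[Policy]
    default_action: str = "Deny"                  # used when a policy applies but no rule matches

def evaluate(tiers, flow, log=None):              # added model of Calico semantics, not Calico code
    log = [] if log is None else log
    for tier in sorted(tiers, key=lambda t: t.order):         # lowest tier order first
        applicable = [p for p in tier.policies if p.selector(flow["dst"])]
        if not applicable:
            continue                                          # tier is silent: next tier
        verdict = None
        for policy in sorted(applicable, key=lambda p: (p.order, p.name)):
            for rule in (r for r in policy.rules if r.match(flow)):
                if rule.action != "Log":                      # first non-Log match decides
                    verdict = rule.action
                    break
                log.append(f"{tier.name}/{policy.name}")      # Log records, then continues
            if verdict:
                break
        verdict = verdict or tier.default_action              # no rule hit: tier default
        if verdict != "Pass":
            return verdict                                    # Allow or Deny ends evaluation
    return "Allow"                                            # nothing decided: profile allows
external = lambda flow: "ns" not in flow["src"]   # constructed: pods carry an 'ns' label, outside hosts do not
SAMPLE_TIERS = [   # constructed: platform baseline evaluated first, then the app team's own tier
    Tier("platform", 100, default_action="Pass", policies=[
        Policy("block-external", lambda ep: True, order=10, rules=[
            Rule("Log", external), Rule("Deny", external), Rule("Pass")])]),
    Tier("application", 200, policies=[
        Policy("web-allow-frontend", lambda ep: ep.get("app") == "web", rules=[
            Rule("Allow", lambda f: f["src"].get("app") == "frontend" and f["port"] == 8080)])]),
]
```

With these sample tiers an outside host is denied (and logged) by the platform tier before the application tier is consulted, while an in-cluster pod with no application-tier policy selecting it falls through to the profile.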


RBAC for Policy Management

Calico integrates with Kubernetes RBAC for policy authoring. Using ClusterRole and Role definitions, administrators can control who can create, modify, and view policies:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tier-default-reader
rules:
- apiGroups: ['projectcalico.org']
  resources: ['tiers']
  resourceNames: ['default']
  verbs: ['get']
- apiGroups: ['projectcalico.org']
  resources: ['tier.networkpolicies']
  resourceNames: ['default.*']
  verbs: ['get', 'list']

RBAC resource name scoping:

resourceName pattern   Scope
---------------------  ---------------------------------
(blank)                Any policy across all tiers
tiername.*             Any policy within the named tier
tiername.policyname    A specific policy

Tigera Enterprise RBAC

Tigera Enterprise (the commercial offering) adds:

  • Fine-grained policy RBAC -- per-tier and per-namespace policy authoring restrictions.
  • Policy audit logging -- tracks who created, modified, or deleted policies and when.
  • Policy recommendation engine -- suggests policies based on observed traffic patterns.
  • Staged policies -- preview the impact of a policy before enforcement, with dry-run logging.

WireGuard Encryption

Calico supports WireGuard for encrypting inter-node pod traffic in transit.

apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true

Key characteristics:

  • Transparent -- encryption is handled by the kernel WireGuard module. No application changes required.
  • Per-node key pairs -- each node generates its own WireGuard key pair. Public keys are stored in the Calico datastore for peer discovery.
  • Selective encryption -- can be enabled per-node or for specific IP pools.
  • Performance -- WireGuard uses modern cryptography (ChaCha20-Poly1305) and is significantly faster than IPsec for most workloads.
  • Key storage -- private keys are stored as Kubernetes Secrets in the calico-system namespace.

Kernel requirement

WireGuard requires Linux kernel 5.6+ or the wireguard.ko module compiled for the running kernel.


Network Sets and DNS Policies

NetworkSet

NetworkSet and GlobalNetworkSet define groups of CIDR ranges or IP addresses that can be referenced in policies. This is useful for representing external networks, partner IP ranges, or known threat lists:

apiVersion: projectcalico.org/v3
kind: GlobalNetworkSet
metadata:
  name: known-bad-ips
spec:
  nets:
  - 198.51.100.0/24
  - 203.0.113.0/24

DNS-based Policy

Calico supports DNS-based egress policies, allowing pods to be restricted to specific domain names rather than IP addresses. The DNS policy engine monitors DNS responses and dynamically updates policy rules as domain-to-IP mappings change.


Application-Layer Policy (Dikastes)

Dikastes is Calico's application-layer policy enforcement agent, used with service mesh integrations:

  • Integration with Envoy -- Dikastes runs as an Envoy filter and enforces L7 (HTTP, gRPC) policies defined in Calico NetworkPolicy.
  • mTLS with Istio -- when used with Istio, Calico can enforce network policy based on the service mesh identity (SPIFFE ID) rather than just IP addresses.
  • Sidecar or sidecar-free -- supports both traditional sidecar and ambient mesh architectures.

Threat Model

Threat                               Mitigation
-----------------------------------  ---------------------------------------------------------------
Lateral pod-to-pod movement          Default-deny GlobalNetworkPolicy, tiered policies
Unauthorized egress to internet      Egress policies with DNS and CIDR rules
Pod impersonation / IP spoofing      Felix programs per-endpoint routes and rp-filter on veth interfaces
Unencrypted inter-node traffic       WireGuard encryption
Privileged pod network access        Host endpoint policies restrict pod-to-host traffic
Supply chain / compromised image     Staged policies (Tigera Enterprise) for preview and dry-run
Insider policy tampering             RBAC-scoped tier policies, audit logging
